Skip to content

G0083 SilverTerrier

SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.12

Item Value
ID G0083
Associated Names
Version 1.1
Created 29 January 2019
Last Modified 19 May 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols SilverTerrier uses HTTP for C2 communications.1
enterprise T1071.002 File Transfer Protocols SilverTerrier uses FTP for C2 communications.1
enterprise T1071.003 Mail Protocols SilverTerrier uses SMTP for C2 communications.1

Software

ID Name References Techniques
S0331 Agent Tesla 1 Local Account:Account Discovery Mail Protocols:Application Layer Protocol Web Protocols:Application Layer Protocol Archive Collected Data Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Browser Session Hijacking Clipboard Data Credentials from Web Browsers:Credentials from Password Stores Credentials from Password Stores Deobfuscate/Decode Files or Information Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Exploitation for Client Execution Hidden Files and Directories:Hide Artifacts Hidden Window:Hide Artifacts Disable or Modify Tools:Impair Defenses Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Spearphishing Attachment:Phishing Process Discovery Process Hollowing:Process Injection Process Injection Scheduled Task:Scheduled Task/Job Screen Capture Regsvcs/Regasm:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Time Discovery Credentials In Files:Unsecured Credentials Credentials in Registry:Unsecured Credentials Malicious File:User Execution Video Capture Virtualization/Sandbox Evasion Windows Management Instrumentation
S0334 DarkComet 1 Web Protocols:Application Layer Protocol Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Clipboard Data Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Disable or Modify System Firewall:Impair Defenses Disable or Modify Tools:Impair Defenses Ingress Tool Transfer Keylogging:Input Capture Match Legitimate Name or Location:Masquerading Modify Registry Software Packing:Obfuscated Files or Information Process Discovery Remote Desktop Protocol:Remote Services System Information Discovery System Owner/User Discovery Video Capture
S0447 Lokibot 1 Bypass User Account Control:Abuse Elevation Control Mechanism Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Deobfuscate/Decode Files or Information Exfiltration Over C2 Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Software Packing:Obfuscated Files or Information Obfuscated Files or Information Spearphishing Attachment:Phishing Process Hollowing:Process Injection Reflective Code Loading Scheduled Task/Job Scheduled Task:Scheduled Task/Job System Information Discovery System Network Configuration Discovery System Owner/User Discovery Malicious File:User Execution Time Based Evasion:Virtualization/Sandbox Evasion
S0336 NanoCore 1 Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Visual Basic:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel Disable or Modify Tools:Impair Defenses Disable or Modify System Firewall:Impair Defenses Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information System Network Configuration Discovery Video Capture
S0198 NETWIRE 1 Web Protocols:Application Layer Protocol Application Window Discovery Archive Collected Data Archive via Custom Method:Archive Collected Data Automated Collection XDG Autostart Entries:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Login Items:Boot or Logon Autostart Execution Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Unix Shell:Command and Scripting Interpreter Launch Agent:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Credentials from Password Stores Local Data Staging:Data Staged Encrypted Channel Symmetric Cryptography:Encrypted Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts Ingress Tool Transfer Keylogging:Input Capture Invalid Code Signature:Masquerading Match Legitimate Name or Location:Masquerading Modify Registry Native API Non-Application Layer Protocol Software Packing:Obfuscated Files or Information Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Spearphishing Attachment:Phishing Spearphishing Link:Phishing Process Discovery Process Injection Process Hollowing:Process Injection Proxy Scheduled Task:Scheduled Task/Job Cron:Scheduled Task/Job Screen Capture System Information Discovery System Network Configuration Discovery System Network Connections Discovery Malicious File:User Execution Malicious Link:User Execution Web Service

References

  1. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018. 

  2. Renals, P., Conant, S. (2016). SILVERTERRIER: The Next Evolution in Nigerian Cybercrime. Retrieved November 13, 2018.